CVE-2022-25349: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 3, 2022

All versions of package materialize-css is vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

References

github.com/Dogfalo/materialize/blob/v1-dev/js/autocomplete.js%23L285%20
github.com/advisories/GHSA-7jvx-f994-rfw2
nvd.nist.gov/vuln/detail/CVE-2022-25349
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2766498
snyk.io/vuln/SNYK-JS-MATERIALIZECSS-2324800

Detect and mitigate CVE-2022-25349 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →